Topic: Linux bash exploit discovered (Read 14092 times)

"Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh---but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.

There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services. Akamai has created a WAF rule to filter this exploit; see "For Web Applications" below for details."

Also awful is "and confirmed its presence in bash for an extended period of time".

So this is roughly a second time that I have heard of, (I'm sure there are more) where flaws in otherwise trusted non-Windows Non-Adobe/Java stuff has been sitting on a vulnerability for who knows how long, and the "good guys" only found it in 2014. I mean, I know zero about Linux, but isn't bash one of those "deep core" little items that's been around forever?

(Glancing at the article for snips) "...has been given the name Shellshock by some"

"this is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote. It's quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example -- routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed."

It's like a war now. "My heart is bleeding, and now I have shellshock."

Meanwhile in a tangentially related article I don't have the link to this minute, someone reported that hackers want medical data even more than credit cards now, and it remarked that hospitals don't always have top-notch IT departments. So if someone gets into some medical equipment, that could cause a mess!! Robin Cook, where are you?
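The Akamai excerpt above names "filtering inputs to vulnerable services" and a WAF rule as mitigations. The point is that a CGI web server copies client-controlled request data (User-Agent, Referer, the query string) into environment variables before invoking the script, and bash used to interpret a variable whose value begins with the function-definition prefix `() {` as code. The following is an added illustration, not code from the thread, Akamai, or Ars Technica: a small log-scanning filter that parses Apache/nginx "combined" log lines and flags entries whose client-supplied fields carry that prefix, so an admin can see whether such requests have reached a CGI endpoint. The log lines, IPs (RFC 5737 documentation ranges) and the `/cgi-bin/status.cgi` path are all constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# The bash exported-function prefix "() {" that a Shellshock-style value must
# start with. Whitespace between the tokens is tolerated, as bash tolerated it.
FUNC_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" format:
#   ip - user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Fields a CGI server exports to the script's environment (as REQUEST_URI /
# QUERY_STRING, HTTP_REFERER and HTTP_USER_AGENT respectively).
CLIENT_FIELDS = ("request", "referer", "agent")


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def suspicious_fields(entry: Dict[str, str]) -> List[str]:
    """Names of client-controlled fields that carry the "() {" prefix.

    Values are percent-decoded first: a WAF that matches only the raw bytes
    misses a payload that arrives URL-encoded in the query string.
    """
    return [name for name in CLIENT_FIELDS
            if FUNC_PREFIX.search(unquote(entry.get(name, "")))]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one record per entry that carries the prefix."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue  # unparseable line, e.g. a truncated or different format
        fields = suspicious_fields(entry)
        if fields:
            hits.append({"ip": entry["ip"], "time": entry["time"],
                         "request": entry["request"], "fields": fields})
    return hits


# Constructed sample log: two ordinary requests, one with the prefix in the
# User-Agent, one with it URL-encoded in the query string, and one that merely
# contains "()" without a following "{" (must not be flagged).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '192.0.2.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 200 512 "-" "curl/7.37.0"',
    '203.0.113.5 - - [25/Sep/2014:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 2210 "http://example.com/" "Mozilla/5.0 () (compatible)"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["request"]} <- prefix in {", ".join(hit["fields"])}')
```

A hit here only shows that a request carrying the prefix reached the server; whether it did anything depends on whether the endpoint was a CGI script backed by an unpatched bash. The same regex, applied to request headers and the decoded query string before the script is invoked, is the shape of the input filter the excerpt describes, and it complements rather than replaces the bash update that the later posts point to.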



While Linux would work without bash, the GNU/Linux ecosystem mostly got down to it. Here we go with another example of Linux's bad design: As everything is third-party software, no one triggers a decent QA.


With thanks to Ars Technica. More info on this vulnerability test and what it means can be found in this article.

Several major distros already have the first pass patches uploaded to their repositories so the normal software updates should handle getting the patch to you. Check with your distro website for more info.

Soon there will be a "recommendation" to turn off all devices and just go out and talk personally? I don't think I am exaggerating when I say we are at a tipping point or crossroads and not just technologically speaking. A war there, a hack there, a criminal over there, a new enemy over in the other place, etc.

At some point humanity should decide if it wants to try a future a la Star Trek or just give up and just nuke each other to oblivion.

As I understand it, it's not just Linux. It's pretty much anything with bash. This includes Unix systems, OSX, Linux, Internet of Things (toasters, thermostats, lightbulbs), routers, and even some tools for Windows that include bash.